def _setup_nss_db_services(conf):
"""Sets up NSS Crypto functions
This sets up the NSSCryptoProvider and the database it needs for it to
store certificates. If the path specified in the configuration is already
existent, it will assume that the database is already setup.
This will also import the transport cert needed by the KRA if the NSS DB
was created.
"""
nss_db_path, nss_password = (conf.dogtag_plugin.nss_db_path,
conf.dogtag_plugin.nss_password)
if nss_db_path is None:
LOG.warning(u._LW("nss_db_path was not provided so the crypto "
"provider functions were not initialized."))
return None
if nss_password is None:
raise ValueError(u._("nss_password is required"))
nss_db_created = _create_nss_db_if_needed(nss_db_path, nss_password)
crypto = cryptoutil.NSSCryptoProvider(nss_db_path, nss_password)
if nss_db_created:
_import_kra_transport_cert_to_nss_db(conf, crypto)
return crypto
def _call_pkcs11(self, func, *args, **kwargs):
# Wrap pkcs11 calls to enable a single retry when exceptions are raised
# that can be fixed by reinitializing the pkcs11 library
try:
return func(*args, **kwargs)
except (exception.PKCS11Exception) as pe:
LOG.warning(u._LW("Reinitializing PKCS#11 library: %s"), pe)
self._reinitialize_pkcs11()
return func(*args, **kwargs)
def on_get(self, external_project_id, **kwargs):
if controllers.is_json_request_accept(pecan.request):
resp = self._on_get_secret_metadata(self.secret, **kwargs)
LOG.info(u._LI('Retrieved secret metadata for project: %s'),
external_project_id)
return resp
else:
LOG.warning(
u._LW('Decrypted secret %s requested using deprecated '
'API call.'), self.secret.id)
return self._on_get_secret_payload(self.secret,
external_project_id, **kwargs)
def on_get(self, external_project_id, **kwargs):
if controllers.is_json_request_accept(pecan.request):
resp = self._on_get_secret_metadata(self.secret, **kwargs)
LOG.info(u._LI('Retrieved secret metadata for project: %s'),
external_project_id)
return resp
else:
LOG.warning(u._LW('Decrypted secret %s requested using deprecated '
'API call.'), self.secret.id)
return self._on_get_secret_payload(self.secret,
external_project_id,
**kwargs)
def _wrap(*args, **kwargs):
try:
return f(*args, **kwargs)
except sqlalchemy.exc.OperationalError as e:
if not is_db_connection_error(e.args[0]):
raise
remaining_attempts = CONF.sql_max_retries
while True:
LOG.warning(u._LW('SQL connection failed. %d attempts left.'),
remaining_attempts)
remaining_attempts -= 1
time.sleep(CONF.sql_retry_interval)
try:
return f(*args, **kwargs)
except sqlalchemy.exc.OperationalError as e:
if (remaining_attempts <= 0
or not is_db_connection_error(e.args[0])):
raise
except sqlalchemy.exc.DBAPIError:
raise
except sqlalchemy.exc.DBAPIError:
raise
def __init__(self, conf=CONF):
"""Initializes KMIPSecretStore
Creates a dictionary of mappings between SecretStore enum values
and pyKMIP enum values. Initializes the KMIP client with credentials
needed to connect to the KMIP server.
"""
super(KMIPSecretStore, self).__init__()
self.valid_alg_dict = {
ss.KeyAlgorithm.AES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.AES
},
ss.KeyAlgorithm.DES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [56],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DES
},
ss.KeyAlgorithm.DESEDE: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[56, 64, 112, 128, 168, 192],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.TRIPLE_DES
},
ss.KeyAlgorithm.DSA: {
KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DSA
},
ss.KeyAlgorithm.HMACSHA1: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA1
},
ss.KeyAlgorithm.HMACSHA256: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA256
},
ss.KeyAlgorithm.HMACSHA384: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA384
},
ss.KeyAlgorithm.HMACSHA512: {
KMIPSecretStore.VALID_BIT_LENGTHS: [],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA512
},
ss.KeyAlgorithm.RSA: {
KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072, 4096],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.RSA
},
}
self.pkcs1_only = conf.kmip_plugin.pkcs1_only
if self.pkcs1_only:
LOG.debug("KMIP secret store only supports PKCS#1")
del self.valid_alg_dict[ss.KeyAlgorithm.DSA]
self.kmip_barbican_alg_map = {
enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES,
enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES,
enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE,
enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA,
enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1,
enums.CryptographicAlgorithm.HMAC_SHA256:
ss.KeyAlgorithm.HMACSHA256,
enums.CryptographicAlgorithm.HMAC_SHA384:
ss.KeyAlgorithm.HMACSHA384,
enums.CryptographicAlgorithm.HMAC_SHA512:
ss.KeyAlgorithm.HMACSHA512,
enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA
}
self.plugin_name = conf.kmip_plugin.plugin_name
if conf.kmip_plugin.keyfile is not None:
self._validate_keyfile_permissions(conf.kmip_plugin.keyfile)
if (conf.kmip_plugin.username is None) and (conf.kmip_plugin.password
is None):
self.credential = None
else:
credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
credential_value = {
'Username': conf.kmip_plugin.username,
'Password': conf.kmip_plugin.password
}
self.credential = (
credentials.CredentialFactory().create_credential(
credential_type, credential_value))
config = conf.kmip_plugin
# Use TLSv1_2, if present
tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
if tlsv12:
config.ssl_version = 'PROTOCOL_TLSv1_2'
LOG.info(u._LI('Going to use TLS1.2...'))
else:
LOG.warning(u._LW('TLSv1_2 is not present on the System'))
self.client = client.ProxyKmipClient(hostname=config.host,
port=config.port,
cert=config.certfile,
key=config.keyfile,
ca=config.ca_certs,
ssl_version=config.ssl_version,
username=config.username,
password=config.password)
def __init__(self, conf=CONF):
self.master_kek = conf.simple_crypto_plugin.kek
LOG.warning(u._LW("This plugin is NOT meant for a production "
"environment. This is meant just for development "
"and testing purposes. Please use another plugin "
"for production."))
from barbican import api
from barbican.api import controllers
from barbican.common import hrefs
from barbican.common import quota
from barbican.common import resources as res
from barbican.common import utils
from barbican.common import validators
from barbican import i18n as u
from barbican.model import models
from barbican.model import repositories as repo
from barbican.queue import client as async_client
LOG = utils.getLogger(__name__)
_DEPRECATION_MSG = u._LW('%s has been deprecated in the Newton release. It '
'will be removed in the Pike release.')
def _order_not_found():
"""Throw exception indicating order not found."""
pecan.abort(
404, u._('Not Found. Sorry but your order is in '
'another castle.'))
def _secret_not_in_order():
"""Throw exception that secret info is not available in the order."""
pecan.abort(400, u._("Secret metadata expected but not received."))
def _order_update_not_supported():
def __init__(self, conf=CONF):
"""Initializes KMIPSecretStore
Creates a dictionary of mappings between SecretStore enum values
and pyKMIP enum values. Initializes the KMIP client with credentials
needed to connect to the KMIP server.
"""
super(KMIPSecretStore, self).__init__()
self.valid_alg_dict = {
ss.KeyAlgorithm.AES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.AES},
ss.KeyAlgorithm.DES: {
KMIPSecretStore.VALID_BIT_LENGTHS: [56],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DES},
ss.KeyAlgorithm.DESEDE: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[56, 64, 112, 128, 168, 192],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.TRIPLE_DES},
ss.KeyAlgorithm.DSA: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[1024, 2048, 3072],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.DSA},
ss.KeyAlgorithm.HMACSHA1: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA1},
ss.KeyAlgorithm.HMACSHA256: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA256},
ss.KeyAlgorithm.HMACSHA384: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA384},
ss.KeyAlgorithm.HMACSHA512: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.HMAC_SHA512},
ss.KeyAlgorithm.RSA: {
KMIPSecretStore.VALID_BIT_LENGTHS:
[1024, 2048, 3072, 4096],
KMIPSecretStore.KMIP_ALGORITHM_ENUM:
enums.CryptographicAlgorithm.RSA},
}
self.pkcs1_only = conf.kmip_plugin.pkcs1_only
if self.pkcs1_only:
LOG.debug("KMIP secret store only supports PKCS#1")
del self.valid_alg_dict[ss.KeyAlgorithm.DSA]
self.kmip_barbican_alg_map = {
enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES,
enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES,
enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE,
enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA,
enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1,
enums.CryptographicAlgorithm.HMAC_SHA256:
ss.KeyAlgorithm.HMACSHA256,
enums.CryptographicAlgorithm.HMAC_SHA384:
ss.KeyAlgorithm.HMACSHA384,
enums.CryptographicAlgorithm.HMAC_SHA512:
ss.KeyAlgorithm.HMACSHA512,
enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA
}
if conf.kmip_plugin.keyfile is not None:
self._validate_keyfile_permissions(conf.kmip_plugin.keyfile)
if (conf.kmip_plugin.username is None) and (
conf.kmip_plugin.password is None):
self.credential = None
else:
credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD
credential_value = {'Username': conf.kmip_plugin.username,
'Password': conf.kmip_plugin.password}
self.credential = (
credentials.CredentialFactory().create_credential(
credential_type,
credential_value))
config = conf.kmip_plugin
# Use TLSv1_2, if present
tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
if tlsv12:
config.ssl_version = 'PROTOCOL_TLSv1_2'
LOG.info(u._LI('Going to use TLS1.2...'))
else:
LOG.warning(u._LW('TLSv1_2 is not present on the System'))
self.client = client.ProxyKmipClient(
hostname=config.host,
port=config.port,
cert=config.certfile,
key=config.keyfile,
ca=config.ca_certs,
ssl_version=config.ssl_version,
username=config.username,
password=config.password)
